[
https://issues.apache.org/jira/browse/CARBONDATA-3729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17049326#comment-17049326
]
XuCongying commented on CARBONDATA-3729:
----------------------------------------
I found that the buggy methods of the CVEs are in the program execution path of
your project, which puts your project at risk. I have suggested some version
updates. Here is the detailed information:
* *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.7.2
* *Call Chain to Buggy Methods:*
** *Some files in your project call the library method
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String),
which can reach the buggy method of
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
*** Files in your project:
processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java
*** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy
method]
** *Some files in your project call the library method
org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration),
which can reach the buggy method of
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
*** Files in your project:
processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java,
core/src/main/java/org/apache/carbondata/core/datastore/impl/FileFactory.java
*** One of the possible call chains:
org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.fs.FileSystem.get(java.net.URI,org.apache.hadoop.conf.Configuration)
org.apache.hadoop.fs.FileSystem.getDefaultUri(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy
method]
** *Some files in your project call the library method
org.apache.hadoop.security.UserGroupInformation.getCurrentUser(), which can
reach the buggy method of
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
*** Files in your project:
processing/src/main/java/org/apache/carbondata/processing/util/Auditor.java,
common/src/main/java/org/apache/carbondata/common/logging/LogService.java,
*** One of the possible call chains:
org.apache.hadoop.security.UserGroupInformation.getCurrentUser()
org.apache.hadoop.security.UserGroupInformation.getLoginUser()
org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(javax.security.auth.Subject)
org.apache.hadoop.security.UserGroupInformation.ensureInitialized()
org.apache.hadoop.security.UserGroupInformation.initialize(org.apache.hadoop.conf.Configuration,boolean)
org.apache.hadoop.security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy
method]
** *Some files in your project call the library method
org.apache.hadoop.security.UserGroupInformation.getLoginUser(), which can reach
the buggy method of
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
*** Files in your project:
core/src/main/java/org/apache/carbondata/core/util/CarbonUtil.java
*** One of the possible call chains:
org.apache.hadoop.security.UserGroupInformation.getLoginUser()
org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(javax.security.auth.Subject)
org.apache.hadoop.security.UserGroupInformation.ensureInitialized()
org.apache.hadoop.security.UserGroupInformation.initialize(org.apache.hadoop.conf.Configuration,boolean)
org.apache.hadoop.security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy
method]
** *Some files in your project call the library method
org.apache.hadoop.conf.Configuration.get(java.lang.String), which can reach the
buggy method of
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
*** Files in your project:
processing/src/main/java/org/apache/carbondata/processing/loading/jsoninput/JsonInputFormat.java,
core/src/main/java/org/apache/carbondata/core/datamap/DataMapUtil.java,
core/src/main/java/org/apache/carbondata/core/util/CarbonProperties.java
*** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy
method]
** *Some files in your project call the library method
org.apache.hadoop.conf.Configuration.getBoolean(java.lang.String,boolean),
which can reach the buggy method of
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
*** Files in your project:
processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java,
processing/src/main/java/org/apache/carbondata/processing/loading/jsoninput/JsonInputFormat.java
*** One of the possible call chains:
org.apache.hadoop.conf.Configuration.getBoolean(java.lang.String,boolean)
org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy
method]
* *Update suggestion:* version 3.2.1 is a safe version without CVEs.
From 2.7.2 to 3.2.1, 20 of the APIs (called 81 times in your project) were
modified.
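The comment above rests on one idea: a dependency CVE matters to a project only if some project call site can reach the library's buggy method through the library's own call graph. The following is an added example (not the reporter's tool and not CarbonData or Hadoop code) showing that reachability check as a breadth-first search over a caller-to-callee map. The graph edges and the file-to-method call sites are constructed from the chains quoted in the comment; the `Path.getName()` entry with no outgoing edges is an assumed negative case. A real analysis would derive the edges from bytecode rather than typing them in.

```python
"""Call-chain reachability: does a project call site reach a buggy library method?
Added example; edges are constructed from the chains listed in the comment,
not extracted from real bytecode."""
from collections import deque

SUBSTITUTE_VARS = "org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String)"
CFG_GET2 = "org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)"
CFG_GET1 = "org.apache.hadoop.conf.Configuration.get(java.lang.String)"
CFG_GET_TRIMMED = "org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)"
CFG_GET_BOOLEAN = "org.apache.hadoop.conf.Configuration.getBoolean(java.lang.String,boolean)"
PATH_GET_FS = "org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration)"
FS_GET = "org.apache.hadoop.fs.FileSystem.get(java.net.URI,org.apache.hadoop.conf.Configuration)"
FS_DEFAULT_URI = "org.apache.hadoop.fs.FileSystem.getDefaultUri(org.apache.hadoop.conf.Configuration)"
PATH_GET_NAME = "org.apache.hadoop.fs.Path.getName()"  # assumed negative case, no edges

# caller -> callees (constructed from the call chains in the comment)
CALL_GRAPH = {
    CFG_GET2: [SUBSTITUTE_VARS],
    CFG_GET1: [SUBSTITUTE_VARS],
    CFG_GET_TRIMMED: [CFG_GET1],
    CFG_GET_BOOLEAN: [CFG_GET_TRIMMED],
    PATH_GET_FS: [FS_GET],
    FS_GET: [FS_DEFAULT_URI],
    FS_DEFAULT_URI: [CFG_GET2],
    PATH_GET_NAME: [],  # assumption: reaches no buggy method
}

# buggy method -> CVE, as named in the comment
BUGGY_METHODS = {SUBSTITUTE_VARS: "CVE-2017-15713"}

# project file -> library methods it calls (constructed from the comment's file lists)
CALL_SITES = {
    "processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java":
        [CFG_GET2, PATH_GET_FS, CFG_GET_BOOLEAN],
    "core/src/main/java/org/apache/carbondata/core/datastore/impl/FileFactory.java":
        [PATH_GET_FS, PATH_GET_NAME],
}


def find_chain(graph, start, buggy):
    """Breadth-first search from `start`; return the shortest call chain
    (list of method signatures) ending at a buggy method, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in buggy:
            chain = []
            while node is not None:  # walk parents back to the start
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def reachable_call_sites(call_sites, graph, buggy):
    """Map each project file to (cve, chain) pairs reachable from the library
    methods it calls; files with no reachable buggy method are omitted."""
    findings = {}
    for path, methods in call_sites.items():
        hits = []
        for method in methods:
            chain = find_chain(graph, method, buggy)
            if chain is not None:
                hits.append((buggy[chain[-1]], chain))
        if hits:
            findings[path] = hits
    return findings


def format_report(findings):
    """One line per reachable (file, CVE) pair in the style of the comment."""
    lines = []
    for path, hits in sorted(findings.items()):
        for cve, chain in hits:
            lines.append(f"{path}: {cve} via " + " -> ".join(chain))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reachable_call_sites(CALL_SITES, CALL_GRAPH, BUGGY_METHODS)))
```

The shortest-path search is what makes "one of the possible call chains" reproducible: with the edges above, `getBoolean` reaches `substituteVars` in four steps and `Path.getFileSystem` in five, exactly the chains the comment lists, while the assumed `Path.getName()` call site produces no finding and would not by itself justify a version bump.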
> Please avoid using libraries with CVEs
> --------------------------------------
>
> Key: CARBONDATA-3729
> URL: https://issues.apache.org/jira/browse/CARBONDATA-3729
> Project: CarbonData
> Issue Type: Bug
> Reporter: XuCongying
> Priority: Major
>
> Hi, I noticed that your project is using vulnerable libraries which are
> related to some CVEs. To prevent the potential security risks they may cause, I
> suggest updating the library dependencies. See below for more details:
>
> Vulnerable Library Version: org.scala-lang : scala-compiler : 2.11.8
> CVE ID:
> [CVE-2017-15288](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15288)
> Import Path: integration/spark-common/pom.xml
> Suggested Safe Versions: 2.11.12, 2.12.10, 2.12.4, 2.12.5, 2.12.6, 2.12.7,
> 2.12.8, 2.12.9, 2.13.0, 2.13.0-M1, 2.13.0-M2, 2.13.0-M3, 2.13.0-M3-f73b161,
> 2.13.0-M4, 2.13.0-M4-pre-20d3c21, 2.13.0-M5, 2.13.0-M5-1775dba,
> 2.13.0-M5-5eef812, 2.13.0-M5-6e0cba7, 2.13.0-RC1, 2.13.0-RC2, 2.13.0-RC3,
> 2.13.1
> Vulnerable Library Version: org.apache.lucene : lucene-queryparser : 6.3.0
> CVE ID:
> [CVE-2017-12629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629)
> Import Path: datamap/lucene/pom.xml
> Suggested Safe Versions: 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 7.1.0, 7.2.0,
> 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0,
> 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1
> Vulnerable Library Version: org.apache.hive : hive-service : 1.2.1
> CVE ID:
> [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083),
> [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521)
> Import Path: integration/hive/pom.xml
> Suggested Safe Versions: 1.2.2, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1,
> 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1, 3.1.2
> Vulnerable Library Version: com.google.guava : guava : 14.0.1
> CVE ID:
> [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237)
> Import Path: datamap/bloom/pom.xml
> Suggested Safe Versions: 24.1.1-android, 24.1.1-jre, 25.0-android,
> 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android,
> 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android,
> 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre
> Vulnerable Library Version: org.apache.hive : hive-exec : 1.2.1
> CVE ID:
> [CVE-2018-11777](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11777),
> [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521),
> [CVE-2018-1314](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1314)
> Import Path: integration/hive/pom.xml
> Suggested Safe Versions: 2.3.4, 2.3.5, 2.3.6, 3.1.1, 3.1.2
> Vulnerable Library Version: org.apache.spark : spark-core_2.11 : 2.3.4
> CVE ID:
> [CVE-2017-7678](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7678),
> [CVE-2018-3826](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3826),
> [CVE-2018-11770](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11770)
> Import Path: examples/spark2/pom.xml,
> integration/spark-common-test/pom.xml, integration/presto/pom.xml,
> integration/spark2/pom.xml, datamap/mv/core/pom.xml, datamap/mv/plan/pom.xml
> Suggested Safe Versions: 2.4.5
> Vulnerable Library Version: org.apache.spark : spark-core_2.11 : 2.4.4
> CVE ID:
> [CVE-2017-7678](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7678)
> Import Path: integration/spark2/pom.xml, datamap/mv/plan/pom.xml
> Suggested Safe Versions: 2.4.5
> Vulnerable Library Version: org.apache.lucene : lucene-core : 6.3.0
> CVE ID:
> [CVE-2017-3163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163)
> Import Path: datamap/lucene/pom.xml
> Suggested Safe Versions: 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2,
> 6.6.3, 6.6.4, 6.6.5, 6.6.6, 7.0.0, 7.0.1, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.1,
> 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0,
> 8.3.1, 8.4.0, 8.4.1
> Vulnerable Library Version: org.apache.hive : hive-jdbc : 1.2.1
> CVE ID:
> [CVE-2016-3083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3083),
> [CVE-2015-7521](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7521),
> [CVE-2018-1282](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1282)
> Import Path: integration/hive/pom.xml
> Suggested Safe Versions: 2.3.3, 2.3.4, 2.3.5, 2.3.6, 3.0.0, 3.1.0, 3.1.1,
> 3.1.2
> Vulnerable Library Version: org.apache.thrift : libthrift : 0.9.3
> CVE ID:
> [CVE-2018-1320](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320)
> Import Path: format/pom.xml
> Suggested Safe Versions: 0.12.0, 0.13.0
> Vulnerable Library Version: org.apache.hadoop : hadoop-hdfs : 2.7.2
> CVE ID:
> [CVE-2018-11768](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11768)
> Import Path: core/pom.xml, processing/pom.xml
> Suggested Safe Versions: 2.10.0, 2.8.5, 2.9.2, 3.1.2, 3.1.3, 3.2.0, 3.2.1
> Vulnerable Library Version: org.apache.zookeeper : zookeeper : 3.4.7
> CVE ID:
> [CVE-2018-8012](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012),
> [CVE-2019-0201](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201),
> [CVE-2017-5637](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637)
> Import Path: core/pom.xml
> Suggested Safe Versions: 3.4.14, 3.5.5, 3.5.6, 3.5.7
> Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.7.5
> CVE ID:
> [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029),
> [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009)
> Import Path: integration/flink/pom.xml
> Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
> Vulnerable Library Version: org.apache.hadoop : hadoop-common : 2.7.2
> CVE ID:
> [CVE-2016-5393](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5393),
> [CVE-2018-8009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009),
> [CVE-2016-6811](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6811),
> [CVE-2017-15718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15718),
> [CVE-2016-3086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3086),
> [CVE-2017-15713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713),
> [CVE-2018-8029](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029)
> Import Path: core/pom.xml, processing/pom.xml, common/pom.xml
> Suggested Safe Versions: 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
> Vulnerable Library Version: org.apache.httpcomponents : httpclient : 4.3.4
> CVE ID:
> [CVE-2014-3577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577),
> [CVE-2015-5262](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5262)
> Import Path: examples/spark2/pom.xml, integration/hive/pom.xml,
> integration/spark2/pom.xml, store/sdk/pom.xml
> Suggested Safe Versions: 4.3.6, 4.4, 4.4-alpha1, 4.4-beta1, 4.4.1, 4.5,
> 4.5.1, 4.5.10, 4.5.11, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9
> Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind :
> 2.6.5
> CVE ID:
> [CVE-2017-17485](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485),
> [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840),
> [CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330),
> [CVE-2019-12384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384),
> [CVE-2019-14439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439),
> [CVE-2018-19362](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362),
> [CVE-2018-11307](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307),
> [CVE-2018-14721](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721),
> [CVE-2018-14719](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719),
> [CVE-2018-7489](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489),
> [CVE-2019-17531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531),
> [CVE-2019-12086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086),
> [CVE-2017-15095](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095),
> [CVE-2018-14718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718),
> [CVE-2019-16943](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943),
> [CVE-2019-12814](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814),
> [CVE-2018-19361](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361),
> [CVE-2018-19360](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360),
> [CVE-2018-14720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720),
> [CVE-2019-16942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942),
> [CVE-2017-7525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525)
> Import Path: store/sdk/pom.xml
> Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3
> Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind :
> 2.8.1
> CVE ID:
> [CVE-2019-12814](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814),
> [CVE-2017-17485](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485),
> [CVE-2018-11307](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307),
> [CVE-2018-7489](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489),
> [CVE-2018-19360](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360),
> [CVE-2019-14439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439),
> [CVE-2017-15095](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095),
> [CVE-2019-16943](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943),
> [CVE-2019-14379](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379),
> [CVE-2018-14720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720),
> [CVE-2018-12023](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023),
> [CVE-2017-7525](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525),
> [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840),
> [CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330),
> [CVE-2019-12384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384),
> [CVE-2019-12086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086),
> [CVE-2018-14721](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721),
> [CVE-2018-14719](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719),
> [CVE-2019-17531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531),
> [CVE-2018-14718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718),
> [CVE-2018-19362](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362),
> [CVE-2018-19361](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361),
> [CVE-2019-16942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942)
> Import Path: integration/presto/pom.xml
> Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3
> Vulnerable Library Version: org.apache.solr : solr-core : 6.3.0
> CVE ID:
> [CVE-2017-12629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12629),
> [CVE-2018-8010](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8010),
> [CVE-2017-3163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163),
> [CVE-2017-7660](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7660),
> [CVE-2017-9803](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9803),
> [CVE-2017-3164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3164),
> [CVE-2018-8026](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8026),
> [CVE-2019-0192](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0192)
> Import Path: datamap/lucene/pom.xml
> Suggested Safe Versions: 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0,
> 8.3.0, 8.3.1, 8.4.0, 8.4.1
--
This message was sent by Atlassian Jira
(v8.3.4#803005)